Monday, May 8, 2017

When we started our Windows 10 project last year, it was decided that we needed to support 85% of our entire device fleet, which consists of HP business client devices.

At the same time, we also agreed on a “Security first” approach which means that Windows 10 will only be rolled out in UEFI boot mode with Secure Boot on and, if supported, with a TPM 2.0 firmware. This is required to get the maximum benefit from the security features in Windows 10 like Device Guard.

Given that most devices had never received a regular firmware update, it was clear that we needed BIOS updates, TPM updates and BIOS setting changes on nearly all devices. As we use our devices for three to five years, this meant we needed to support about 20 different HP models.

The “classic” way would be to create a job/script that does all changes for exactly one model, declare this model as “Supported” and move on to the next model. The PowerShell scripts required for this would be copied, so at the end we would have 20 slightly different scripts, and supporting future devices would add even more. On top of that, there would be no central place where we could check which BIOS version we install on model X.

We decided to use a completely different approach, with the following design goals:

A TPM upgrade from 1.2 to 2.0 could lead to a LOWER firmware version number because the 2.0 firmware comes from a different vendor (this has never happened for HP so far, but it is at least possible for DELL, and I wanted the script to be prepared for it).

For TPM upgrades it is also necessary to fully decrypt BitLocker if it is in use, since all keys will be lost when the TPM upgrade is flashed.

The details of why something went wrong are in the private log files of the HP tools, so they need to be appended to the “main” log file in order to know what went wrong.

Finally, we found out that we have several BIOS passwords in use, so the script needed some way to test several passwords until the correct one is found.
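The four considerations above (TPM spec change overriding a plain version comparison, BitLocker fully decrypted before a TPM flash, tool logs appended to the main log, and trying the organisation's own list of BIOS passwords) can be expressed as pre-flight checks driven by one central model table. The following PowerShell is an added example and not code from BIOS Sledgehammer; the model names and version numbers in `$ModelTable` are constructed placeholders, and the HP tool invocation is deliberately left to a caller-supplied `$Probe` script block rather than guessing at a vendor command line.

```powershell
Set-StrictMode -Version Latest

# Constructed sample of the "central place": one entry per model, no per-model scripts.
# The version strings are placeholders, not real HP values.
$ModelTable = @{
    'Example Model A' = @{ BiosVersion = '1.20'; TpmSpec = '2.0'; TpmFirmware = '7.00' }
    'Example Model B' = @{ BiosVersion = '2.05'; TpmSpec = '1.2'; TpmFirmware = '5.00' }
}

function Get-TpmState {
    # Win32_Tpm exposes SpecVersion ("2.0, 0, 1.16") and ManufacturerVersion ("7.62").
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
    if (-not $tpm) { return $null }
    [pscustomobject]@{
        Spec     = ($tpm.SpecVersion -split ',')[0].Trim()
        Firmware = $tpm.ManufacturerVersion
    }
}

function Test-TpmUpdateNeeded {
    param([Parameter(Mandatory)]$Current, [Parameter(Mandatory)]$Target)
    # A spec change (1.2 -> 2.0) is always an update, even if the numeric firmware
    # version of the new vendor's firmware is LOWER than the current one.
    if ($Current.Spec -ne $Target.TpmSpec) { return $true }
    try {
        return ([version]$Current.Firmware -lt [version]$Target.TpmFirmware)
    } catch {
        # Unparseable vendor string: treat as "needs update" so it is looked at, not skipped.
        return $true
    }
}

function Test-BitLockerFullyDecrypted {
    # All keys are lost during a TPM flash, so every volume must be FullyDecrypted first.
    $volumes = Get-BitLockerVolume
    return -not ($volumes | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' })
}

function Find-WorkingBiosPassword {
    param([string[]]$Candidates, [Parameter(Mandatory)][scriptblock]$Probe)
    # $Probe is a caller-supplied wrapper around the vendor tool (hypothetical here);
    # it must return $true when the given password is accepted. Stops at the first hit.
    foreach ($pw in $Candidates) {
        if (& $Probe $pw) { return $pw }
    }
    return $null
}

function Add-ToolLogToMainLog {
    param([string]$ToolLog, [string]$MainLog)
    # Pull the vendor tool's private log into the main log so one file tells the whole story.
    if (Test-Path $ToolLog) {
        "==== Begin $ToolLog ====" | Add-Content $MainLog
        Get-Content $ToolLog     | Add-Content $MainLog
        "==== End $ToolLog ===="   | Add-Content $MainLog
    }
}

# Example pre-flight run; $Probe is a stand-in that only accepts the placeholder 'EXAMPLE-PW'.
$model  = (Get-CimInstance Win32_ComputerSystem).Model
$target = $ModelTable[$model]
if (-not $target) { throw "Model '$model' is not in the model table" }

$tpmNow = Get-TpmState
if ($tpmNow -and (Test-TpmUpdateNeeded -Current $tpmNow -Target $target)) {
    if (-not (Test-BitLockerFullyDecrypted)) { throw 'Decrypt BitLocker fully before flashing the TPM' }
}
$pw = Find-WorkingBiosPassword -Candidates @('EXAMPLE-PW') -Probe { param($p) $p -eq 'EXAMPLE-PW' }
if (-not $pw) { throw 'None of the known BIOS passwords was accepted' }
```

In production the `$Probe` block would wrap the vendor's configuration tool and the password list would come from a protected file rather than an inline array; the structure stays the same, and adding a model means adding a table row, not copying a script.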

I'll spare you the details of how many tries it took until I got it right, but the first version of BIOS Sledgehammer went into production in 2016-11 and has been used on 500 machines since then, with exactly one defect so far, which was caused by a power loss during the upgrade process.